
Hello.

Is there any way to determine from a basic Wireshark trace if a TOR browser is being used?

There's the tell-tale signs of TCP and TLSv1 use, along with port 9001 and 9030.

But having completed some tests - I've discovered this only worked once over 10 tests!!

Any help would be appreciated.

asked 13 Aug '12, 09:30


DustinCook


> There's the tell-tale signs of TCP and TLSv1 use, along with port 9001 and 9030.

Port 9030 is the directory server port. The client gets the list of nodes from the directory servers, if it does not have that list stored locally. So, you will see that traffic only, if the client was started for the first time, or after a long time.

Port 9001 is the default Tor Port, but many Nodes run on port 443 (or any other port). That is configurable. So, you will only see traffic on this port, if your clients talk to a Tor node with the default port settings.

> But having completed some tests - I've discovered this only worked once over 10 tests!!

see above.

The best sign for Tor traffic is this:

  • Look at the certificates. The Tor nodes will present a cert with a "random" name, like these:

    www.wgmyv7mbm6phnpq.net
    www.istzu7bz6fzy2y7if.com

  • Check the Lifetime of the cert. Tor certs are often valid for one year, starting with the current day (weak criteria).

notBefore: utcTime (0) utcTime: 12-08-14 07:51:17 (UTC)
notAfter: utcTime (0) utcTime: 13-08-14 07:51:17 (UTC)

Using tshark, you can find this information as follows:

tshark -r tor_traffic.cap -T fields -R "ssl.handshake.certificate" -e x509af.utcTime -e x509sat.printableString

Sample output

12-08-14 09:02:40 (UTC),13-08-14 09:02:40 (UTC) www.esvo7ripgfcpkpbhl.com,www.j6l4qj5dfvjlkxya.net
12-08-14 09:14:08 (UTC),13-08-14 09:14:08 (UTC) www.voej7w7i5wqhd.com,www.nhbrobe2u5.net
12-08-14 08:08:27 (UTC),13-08-14 08:08:27 (UTC) www.fgzxrfhrgo.net,www.too3xofkwpprvxix.net
12-08-14 07:38:26 (UTC),13-08-14 07:38:26 (UTC) www.3fcvwc4udn7mwj.net,www.iwajitj5g.net
12-08-14 08:36:16 (UTC),13-08-14 08:36:16 (UTC) www.gf2afmvv3jl6dg.net,www.lvdvho3yglfu6.net
12-08-14 08:48:34 (UTC),13-08-14 08:48:34 (UTC) www.gyk2lv67szubbg4ilq.com,www.ujasp2f6.net
12-08-14 09:00:19 (UTC),13-08-14 09:00:19 (UTC) www.b3dthjkqi6py.com,www.qi5itnnxft3l.net
12-08-14 07:40:36 (UTC),13-08-14 07:40:36 (UTC) www.cwrtpgdwvfo.com,www.b2h4tpc5fxaq4l.net
12-08-14 07:45:00 (UTC),13-08-14 07:45:00 (UTC) www.swxvuwbkux5ws.com,www.vlrzxyc7lyjcjqxv.net
12-08-14 08:03:23 (UTC),13-08-14 08:03:23 (UTC) www.vxlyzz7hhbo7reiwg.com,www.tq2bi77acv.net
12-08-14 08:01:07 (UTC),13-08-14 08:01:07 (UTC) www.5syfc6b7xph5.com,www.lqr4alfcyz.net
12-08-14 07:51:17 (UTC),13-08-14 07:51:17 (UTC) www.istzu7bz6fzy2y7if.com,www.wgmyv7mbm6phnpq.net
12-08-14 08:12:22 (UTC),13-08-14 08:12:22 (UTC) www.hrz7noiicfhnnr3w3s.com,www.gixyoknsh7udrxu.net

Now, use a script to check the cert lifetime (1 year, start: today) and the structure of the cert names (more or less random).

HINT: If the Tor node runs on a port that is not dissected as SSL/TLS, you need to add the port to the SSL properties, otherwise you won't see the cert and the lifetime!

Regards
Kurt

permanent link

answered 14 Aug '12, 03:09


Kurt Knochner ♦
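A small checker for the two heuristics in Kurt's answer (one-year lifetime, "random" subject/issuer names), added here as an example and not Kurt's script. It reads lines in the tshark field layout shown above; the sample lines are constructed for this example, and the consonant-run test for "random" names is an assumption of this example, not something Tor guarantees.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the tshark "-T fields" output above:
# "<notBefore> (UTC),<notAfter> (UTC)<tab><subject printableString>,<issuer printableString>".
# The last line is a made-up ordinary certificate used as a negative control.
SAMPLE_OUTPUT = """\
12-08-14 09:02:40 (UTC),13-08-14 09:02:40 (UTC)\twww.esvo7ripgfcpkpbhl.com,www.j6l4qj5dfvjlkxya.net
12-08-14 07:51:17 (UTC),13-08-14 07:51:17 (UTC)\twww.istzu7bz6fzy2y7if.com,www.wgmyv7mbm6phnpq.net
11-03-01 00:00:00 (UTC),14-03-01 00:00:00 (UTC)\twww.example.com,Example Issuing CA
"""

LINE_RE = re.compile(r"^(\S+ \S+) \(UTC\),(\S+ \S+) \(UTC\)\s+(.+)$")
NAME_RE = re.compile(r"^www\.([a-z0-9]+)\.(com|net)$")

def looks_random(name):
    """Heuristic (assumed here) for the 'random' names Tor nodes present:
    www.<label>.com or .net where the label has a run of four or more
    consonants/digits in a row, which real words rarely have."""
    m = NAME_RE.match(name)
    if not m:
        return False
    runs = re.findall(r"[^aeiou]+", m.group(1))
    return max((len(r) for r in runs), default=0) >= 4

def lifetime_days(not_before, not_after):
    """Validity period in days; the utcTime fields are yy-mm-dd HH:MM:SS."""
    fmt = "%y-%m-%d %H:%M:%S"
    return (datetime.strptime(not_after, fmt) - datetime.strptime(not_before, fmt)).days

def score_line(line):
    """Return (one_year, random_names) for one tshark output line,
    or None if the line does not have the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    one_year = abs(lifetime_days(m.group(1), m.group(2)) - 365) <= 1  # tolerate a leap day
    names = [n.strip() for n in m.group(3).split(",")]
    return one_year, [n for n in names if looks_random(n)]

def tor_like_lines(text):
    """Lines whose cert is valid for about one year AND carries a random-looking name."""
    hits = []
    for line in text.splitlines():
        res = score_line(line)
        if res and res[0] and res[1]:
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in tor_like_lines(SAMPLE_OUTPUT):
        print("Tor-like certificate:", hit)
```

Feed it the real tshark output instead of SAMPLE_OUTPUT; as the answer says, both criteria are weak on their own, so treat a hit as a lead to confirm, not a verdict.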
